2
votes

I have a couple of Products in my API Management instance, let's call them Product 1 and Product 2.
Both of these products have an API added called Inventory.

For Product 1 I have set Subscription required to true.
For Product 2 I have set Subscription required to false.

So far, this works great.

Now, I have set the Subscription required flag to true on my Inventory API also. I want to enforce that people specify a valid subscription key when calling this API. What I'm noticing, though, is that this flag on the API level isn't enforced (properly?). I'm still able to invoke the Inventory API without a subscription key.

My guess is, the Product 2 policy is overruling the Subscription required setting which is set on the API level. Is this correct?
And my actual question is, how to enforce a specific API that always requires a valid subscription key while still having an 'open' Product?

2
Emm, from my searching, I found that a product is used for grouping APIs to publish, so how can one API be in 2 products where one needs a subscription key while the other does not? One API only has one URL. My testing result is that when Subscription required is checked, the URL needs a subscription key, and it does not need the key when unchecked. i.stack.imgur.com/zwbpM.png Did I ignore something important? – Tiny Wang
We're using it to group APIs, indeed. We have several 'customers' of our APIs and have created a Product for each of them. At this time, we're transitioning to using subscriptions, and we have 1 Product which doesn't require a subscription. However, there are a couple of APIs for which we want to enforce having a valid subscription key. We want those APIs to be inside the Product for management purposes but grant subscriptions for the individual users/processes accessing these APIs. – Jan_V
Did you create several API instances with the same backend endpoint? – Tiny Wang
At this time we're using the same API instances. But I think you're on to something. We could (or maybe should) create multiple API instances to circumvent the issue. It's not a solution/workaround we can live with at this moment in time though. I'd expect the (more granular) setting of the specific API would override the setting from the Product. – Jan_V

2 Answers

2
votes

As long as the API is attached to an open product, you can always call it without a subscription; this is by design. If you want to enforce that a subscription key is sent, you have to either remove it from that open product or mark it as subscription required.

Adding a policy is really inefficient and dirty for the following reasons:

  1. You will need to keep track of all the subscription key values (removed, added, regenerated, etc.).

  2. All the other policies that precede the checking policy will be executed before the request is denied.

  3. If you decide to change the subscription key header name, you will have to go through all the checking policies and modify them.
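An audit for the condition this answer describes (an API marked subscription-required that is still attached to an open product), as an added example that is not part of the original answer. The dictionary layout and the names `find_bypassed_apis` and `fixes_for` are assumptions made for illustration; the sample data is constructed to mirror the question.

```python
# Added illustration: audit an inventory of APIM products and APIs for the
# behaviour described in the answer above. The data layout is constructed for
# this example and is not the Azure Resource Manager schema.

def find_bypassed_apis(products, apis):
    """Return {api_name: [open products exposing it]} for every API that is
    marked subscription-required but attached to at least one open product."""
    exposed = {}
    for product in products:
        if product["subscription_required"]:
            continue  # closed product: callers need a key for its APIs
        for api_name in product["apis"]:
            if api_name not in apis:
                raise KeyError(
                    f"product {product['name']!r} references unknown API {api_name!r}")
            if apis[api_name]["subscription_required"]:
                exposed.setdefault(api_name, []).append(product["name"])
    return {name: sorted(prods) for name, prods in sorted(exposed.items())}


def fixes_for(api_name, open_products):
    """List the two remediations named in the answer for one finding."""
    return [f"remove {api_name!r} from open product {p!r}, or set "
            f"Subscription required on {p!r}" for p in open_products]


# Constructed sample mirroring the question: Inventory sits in both products.
SAMPLE_PRODUCTS = [
    {"name": "Product 1", "subscription_required": True, "apis": ["Inventory"]},
    {"name": "Product 2", "subscription_required": False,
     "apis": ["Inventory", "Status"]},
]
SAMPLE_APIS = {
    "Inventory": {"subscription_required": True},
    "Status": {"subscription_required": False},
}

if __name__ == "__main__":
    for api, prods in find_bypassed_apis(SAMPLE_PRODUCTS, SAMPLE_APIS).items():
        print(f"{api}: callable without a key via {', '.join(prods)}")
        for fix in fixes_for(api, prods):
            print("  fix:", fix)
```
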

1
votes

I tested it on my side and saw the same behavior as yours. When I use two products (one with Requires subscription enabled and the other with it disabled) and both of them have one API in them, the API will not check the subscription key even though I have enabled its Subscription required setting.

As a workaround, you can add a policy in your API <outbound> like below. The added policy is used to check the subscription key manually.
